Stealc Malware
⚠️ Overview
Stealc is an information-stealing malware first documented by the SEKOIA Threat Research team in September 2023. Written in C/C++, it is sold as a commodity stealer on Russian-language underground forums. It targets credentials, cryptocurrency wallets, browser data, and session tokens on infected Windows systems, and is continuously updated by its developer(s), who sell subscriptions for $150–$300 per month.
🔧 Technical Capabilities
Stealc propagates primarily via phishing campaigns, malicious ads (malvertising), and drive-by downloads, often delivered through downloaders like SmokeLoader or PrivateLoader. It establishes C2 communication using encrypted HTTP POST requests to its panel with JSON payloads; some versions use Telegram bots for exfiltration. Persistence is achieved through scheduled tasks or registry Run keys, while evasion includes API unhooking, process injection (e.g., into explorer.exe), and anti-debugging checks via NtQueryInformationProcess. It collects data from over 20 Chromium-based browsers (Chrome, Edge, Brave, Opera) and 10+ Firefox forks, targeting specific crypto wallets (e.g., MetaMask, Exodus, Electrum) and 2FA tools like Authy and Duo Mobile. The malware dynamically fetches web injection configurations from the C2 to target over 600 websites including Amazon, PayPal, and Coinbase, as reported in a February 2024 analysis by Zscaler ThreatLabz.
📜 History & Notable Incidents
First appearing on underground forums in January 2023, Stealc gained traction after the decline of Raccoon Stealer, with its builder released in September 2023. In late 2023, a large-scale campaign dubbed “ClickFix” delivered Stealc via fake CAPTCHA pages targeting job seekers and tech professionals across North America and Europe. No high-profile named victims or law enforcement actions have been publicly confirmed as of early 2025, but the malware has been linked to multiple malicious SEO and search engine ad campaigns.
🔍 Detection Indicators
Known file hashes include SHA256 values from early variants (e.g., 0a4c9e... from SEKOIA's report), though these change frequently. Behavioral indicators: Stealc drops executables with random names in %TEMP% or %APPDATA%, creates mutexes like “Stealc_” plus a GUID, and makes DNS requests to dynamic domain patterns ending in .xyz or .top. Network IOCs include C2 URLs containing “/gate/gate.php” and User-Agent strings mimicking Chrome 96 or 104. Registry persistence may appear under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with an obfuscated value name.
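To show how the network indicators above combine into a detection, here is an added example (not code from the original page or from SEKOIA) that scores constructed proxy log lines against the “/gate/gate.php” POST path, outbound POSTs to .xyz/.top domains, and User-Agent strings claiming Chrome 96 or 104; the log line format and the host names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): method, URL, quoted user agent.
SAMPLE_LOG = [
    'POST http://update-check.xyz/gate/gate.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"',
    'GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    'POST http://cdn-assets.top/api/v1/upload "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"',
    'POST https://api.example.org/gate/gate.php "curl/8.4.0"',
]

LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
SUSPECT_TLDS = {"xyz", "top"}          # TLDs named in the indicators above
GATE_PATH = "/gate/gate.php"           # C2 gate path named in the indicators above
OLD_CHROME_UA = re.compile(r"Chrome/(96|104)\.\d")  # UA mimicking Chrome 96 or 104


def score_line(line):
    """Return the list of indicator names that one proxy log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, ua = m.group("method"), m.group("ua")
    parts = urlsplit(m.group("url"))
    tld = parts.hostname.rsplit(".", 1)[-1] if parts.hostname else ""
    hits = []
    if method == "POST" and parts.path == GATE_PATH:
        hits.append("gate_php_post")
    if method == "POST" and tld in SUSPECT_TLDS:
        hits.append("post_to_uncommon_tld")
    if OLD_CHROME_UA.search(ua):
        hits.append("stale_chrome_ua")
    return hits


def find_suspicious(lines, min_hits=2):
    """Return (line, hits) pairs for lines matching at least min_hits indicators.

    Requiring two independent indicators keeps a lone outdated browser or a single
    odd path from alerting on its own; tune min_hits to the environment's noise.
    """
    flagged = []
    for line in lines:
        hits = score_line(line)
        if len(hits) >= min_hits:
            flagged.append((line, hits))
    return flagged
```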
☠️ Risk & Impact
Stealc poses severe risk of credential theft, financial account takeover, and cryptocurrency wallet emptying, with victims ranging from individual consumers to employees in finance, e-commerce, and tech sectors. The malware directly exfiltrates saved passwords, cookies, and autofill data, enabling follow-on attacks like business email compromise (BEC). Reported losses per incident vary but can exceed $10,000 in stolen crypto assets per victim, as noted in Sekoia’s analysis of victim data from seized C2 logs.
🛡️ Mitigation
Defenses include enabling browser credential monitoring and MFA, blocking untrusted download sites, and deploying EDR solutions with YARA rules for Stealc components (see Sekoia's open-source rules on GitHub). Regularly patch browsers and disable macro execution in documents; use network detection for outbound HTTP POSTs to uncommon TLDs. The MITRE ATT&CK techniques leveraged include T1055.012 (Process Injection: Process Hollowing), T1071.001 (C2: Web Protocols), and T1555 (Credentials from Password Stores).